This example demonstrates how to configure a RADIUS server and Universal Port for user login. The first part of the example shows the RADIUS server configuration. For more information on RADIUS server configuration, see Security.
# Configure the RADIUS server for the userID and password pair.
# For FreeRADIUS, edit the users file located at /etc/raddb/users as shown in the
# following lines.
#
#Sample entry of using an individual MAC address
00040D50CCC3 Auth-Type := EAP, User-Password == "00040D50CCC3"
        Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",
        Extreme-Netlogin-VLAN = voice

#Sample entry of using wildcard MAC addresses (OUI Method)
00040D000000 Auth-Type := EAP, User-Password == "1234"
        Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",
        Extreme-Netlogin-VLAN = voice

#Sample entry of using numeric UserID and password
10284 Auth-Type := EAP, User-Password == "1234"
        Extreme-Security-Profile = "voip LOGOFF-PROFILE=voip",
        Extreme-Netlogin-Vlan = voice

#Sample entry of using a text UserID and password
Sales Auth-Type := EAP, User-Password == "Money"
        Extreme-Security-Profile = "Sales-qos LOGOFF-PROFILE=Sales-qos",
        Extreme-Netlogin-Vlan = v-sales

# Define the Extreme custom VSAs on RADIUS.
# For FreeRADIUS, edit the dictionary file located at /etc/raddb/dictionary to
# include the following details:
VENDOR Extreme 1916
ATTRIBUTE Extreme-CLI-Authorization 201 integer Extreme
ATTRIBUTE Extreme-Shell-Command 202 string Extreme
ATTRIBUTE Extreme-Netlogin-Vlan 203 string Extreme
ATTRIBUTE Extreme-Netlogin-Url 204 string Extreme
ATTRIBUTE Extreme-Netlogin-Url-Desc 205 string Extreme
ATTRIBUTE Extreme-Netlogin-Only 206 integer Extreme
ATTRIBUTE Extreme-User-Location 208 string Extreme
ATTRIBUTE Extreme-Netlogin-Vlan-Tag 209 integer Extreme
ATTRIBUTE Extreme-Netlogin-Extended-Vlan 211 string Extreme
ATTRIBUTE Extreme-Security-Profile 212 string Extreme
ATTRIBUTE Extreme-CLI-Profile 213 string Extreme
VALUE Extreme-CLI-Authorization Disabled 0
VALUE Extreme-CLI-Authorization Enabled 1
VALUE Extreme-Netlogin-Only Disabled 0
VALUE Extreme-Netlogin-Only Enabled 1
# End of Dictionary

# Add the switch as an authorized client of the RADIUS server.
# For FreeRADIUS, edit the file located at /etc/raddb/clients.conf to include the
# switch details as follows:
#
client 192.168.10.4 {
        secret = purple
        shortname = SummitX
}
# End of clients.conf
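The users-file and dictionary entries above can be reviewed mechanically before they are deployed. The following Python script is an added example, not part of the ExtremeXOS documentation or of FreeRADIUS. It parses users-file entries in the layout shown (check items on the entry line, reply items on indented continuation lines), reads the ATTRIBUTE names from the dictionary fragment, and reports the conditions a reviewer would want surfaced: a MAC-address entry whose password is the MAC itself (the credential is information the client already announces, so it is not a secret), an OUI wildcard entry (every device with that vendor prefix receives the profile and VLAN), a password reused across entries, a security profile with no LOGOFF-PROFILE (the port is never cleaned up on unauthenticate), and reply attributes the dictionary does not declare. The USERS and DICTIONARY strings are constructed from the page's own entries; the finding names, the function names and the item-syntax regex are my own assumptions about the file format.

```python
"""Review FreeRADIUS users-file entries against the Extreme VSA dictionary.
Added example; not part of the ExtremeXOS documentation or of FreeRADIUS.
USERS and DICTIONARY are constructed from the entries shown on the page."""
import re

# Constructed sample: the four users-file entries from the page.
USERS = '''
# individual MAC address
00040D50CCC3 Auth-Type := EAP, User-Password == "00040D50CCC3"
        Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",
        Extreme-Netlogin-VLAN = voice
# wildcard MAC address (OUI method)
00040D000000 Auth-Type := EAP, User-Password == "1234"
        Extreme-Security-Profile = "phone LOGOFF-PROFILE=clearport;",
        Extreme-Netlogin-VLAN = voice
# numeric user ID
10284 Auth-Type := EAP, User-Password == "1234"
        Extreme-Security-Profile = "voip LOGOFF-PROFILE=voip",
        Extreme-Netlogin-Vlan = voice
# text user ID
Sales Auth-Type := EAP, User-Password == "Money"
        Extreme-Security-Profile = "Sales-qos LOGOFF-PROFILE=Sales-qos",
        Extreme-Netlogin-Vlan = v-sales
'''

# Constructed sample: the part of the Extreme dictionary these entries use.
DICTIONARY = '''
VENDOR Extreme 1916
ATTRIBUTE Extreme-Netlogin-Vlan 203 string Extreme
ATTRIBUTE Extreme-Security-Profile 212 string Extreme
'''

# One "attribute op value" item; a value is a quoted string or a bare word,
# so the commas separating items are never swallowed into a value.
ITEM_RE = re.compile(
    r'(\S+?)\s*(:=|==|\+=|!=|=~|!~|>=|<=|=|>|<)\s*("(?:[^"\\]|\\.)*"|[^\s,]+)')
MAC_RE = re.compile(r'^[0-9A-Fa-f]{12}$')


def parse_users(text):
    """Return entries as dicts: name, check items (entry line) and reply items
    (indented continuation lines). Attribute names are lower-cased because
    FreeRADIUS matches them case-insensitively."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0].isspace():                       # reply items of the current entry
            if not entries:
                raise ValueError('reply items before any entry')
            target, body = entries[-1]['reply'], raw
        else:                                      # new entry: name, then check items
            parts = raw.split(None, 1)
            body = parts[1] if len(parts) > 1 else ''
            entries.append({'name': parts[0], 'check': {}, 'reply': {}})
            target = entries[-1]['check']
        for attr, op, value in ITEM_RE.findall(body):
            target[attr.lower()] = (op, value.strip('"'))
    return entries


def parse_dictionary(text):
    """Return the lower-cased attribute names declared by ATTRIBUTE lines."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == 'ATTRIBUTE':
            names.add(parts[1].lower())
    return names


def review(entries, known_attrs):
    """Return (entry name, finding) pairs for the conditions a reviewer flags."""
    passwords = [e['check'].get('user-password', (None, None))[1] for e in entries]
    findings = []
    for e, pw in zip(entries, passwords):
        name = e['name']
        if MAC_RE.match(name):
            if pw is not None and pw.lower() == name.lower():
                findings.append((name, 'mac-as-password'))   # credential is not secret
            if name.upper().endswith('000000'):
                findings.append((name, 'oui-wildcard'))      # whole vendor prefix matches
        if pw is not None and passwords.count(pw) > 1:
            findings.append((name, 'shared-password'))       # same secret in several entries
        profile = e['reply'].get('extreme-security-profile', (None, ''))[1]
        if profile and 'LOGOFF-PROFILE=' not in profile:
            findings.append((name, 'no-logoff-profile'))     # port is never cleaned up
        for attr in e['reply']:
            if attr not in known_attrs:
                findings.append((name, 'unknown-attribute:' + attr))
    return findings


if __name__ == '__main__':
    for name, finding in review(parse_users(USERS), parse_dictionary(DICTIONARY)):
        print(f'{name}: {finding}')
```

Run against the page's entries, the script reports the individual-MAC entry as mac-as-password, the OUI entry as oui-wildcard and shared-password, and the numeric ID 10284 as shared-password (it reuses 1234); the Sales entry is clean. Point it at the real /etc/raddb/users and dictionary files to review a live configuration.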
The rest of this example demonstrates the configuration that takes place at the ExtremeXOS switch:
# Create the universal port profile for user-authenticate:
* switch 1 # create upm profile phone
Start typing the profile and end with a . as the first and the only character on a line.
Use - edit upm profile <name> - for block mode capability
create log message Starting_Script_Phone
set var callServer 192.168.10.204
set var fileServer 192.168.10.194
set var voiceVlan voice
set var CleanupProfile CleanPort
set var sendTraps false
#
create log message Starting_AUTH-VOIP_Port_$EVENT.USER_PORT
#******************************************************
# adds the detected port to the device "unauthenticated" profile port list
#******************************************************
create log message Updating_Unauthenticated_Port_List_Port_$EVENT.USER_PORT
#******************************************************
# Configure the LLDP options that the phone needs
#******************************************************
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme call-server $callServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme file-server $fileServer
configure lldp port $EVENT.USER_PORT advertise vendor-specific avaya-extreme dot1q-framing tagged
configure lldp port $EVENT.USER_PORT advertise vendor-specific med capabilities
# If port is PoE capable, uncomment the following lines
#create log message UPM_Script_A-Phone_Finished_Port_$EVENT.USER_PORT
.
switch 2 #
#
# Create the universal port profile for user-unauthenticate on the switch:
#
switch 1 # create upm profile clearport
Start typing the profile and end with a . as the first and the only character on a line.
Use - edit upm profile <name> - for block mode capability
create log message STARTING_Script_CLEARPORT_on_$EVENT.USER_PORT
unconfigure lldp port $EVENT.USER_PORT
create log message LLDP_Info_Cleared_on_$EVENT.USER_PORT
unconfigure inline-power operator-limit ports $EVENT.USER_PORT
create log message POE_Settings_Cleared_on_$EVENT.USER_PORT
create log message FINISHED_Script_CLEARPORT_on_$EVENT.USER_PORT
.
* switch 2 #
#
# Configure RADIUS on the edge switch.
#
* switch 4 # config radius primary server 192.168.11.144 client-ip 192.168.10.4 vr "VR-Default"
* switch 5 # config radius primary shared-secret purple

# Configure Network Login on the edge switch.
# For Network Login 802.1X, use the following commands:
* switch 7 # create vlan nvlan
* switch 8 # config netlogin vlan nvlan
* switch 9 # enable netlogin dot1x
* switch 10 # enable netlogin ports 11-20 mode mac-based-vlans
* switch 11 # enable radius netlogin
#
# For Network Login MAC-based or OUI method, use the following commands:
* switch 7 # create vlan nvlan
* switch 8 # config netlogin vlan nvlan
* switch 9 # enable netlogin mac
* switch 10 # config netlogin add mac-list 00:04:0D:00:00:00 24 1234
* switch 11 # enable radius netlogin

# Assign the user-authenticate profile to the edge port.
#
* switch 12 # configure upm event user-authenticate profile "phone" ports 11-20
* switch 13 #
# Assign the user-unauthenticate profile to the edge port.
#
* switch 14 # configure upm event user-unauthenticated profile "clearport" ports 11-20
* switch 15 #
# Check that the correct profiles are assigned to the correct ports.
#
* switch 16 # show upm profile
===========================================================
UPM Profile        Events                  Flags   Ports
===========================================================
phone              User-Authenticated      e       11-20
clearport          User-Unauthenticated    e       11-20
===========================================================
Number of UPM Profiles: 5
Number of UPM Events in Queue for execution: 0
Flags: d - disabled, e - enabled
Event name: log-message(Log filter name) - Truncated to 20 chars

# Enable LLDP message advertisements on the ports.
#
* switch 17 # enable lldp ports 11-20
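The "check that the correct profiles are assigned" step above can be made repeatable. The following Python script is an added example, not from the ExtremeXOS documentation: it parses the show upm profile table into rows, expands the port column, and confirms that every edge port is bound to an enabled user-authenticate profile and an enabled user-unauthenticate profile, reporting any port or profile that is missing. SHOW_OUTPUT is constructed from the output shown above; the port notation handled is the plain 11-20 / comma-list form of a standalone switch (stack slot:port notation is not handled), and the function names and problem messages are my own. The example also shows what happens with a name mismatch such as the CleanPort variable set in the phone profile versus the clearport profile actually created: a profile name that does not appear in the table is reported as not present.

```python
"""Verify UPM profile-to-port bindings from 'show upm profile' output.
Added example; not part of the ExtremeXOS documentation. SHOW_OUTPUT is
constructed from the output shown on the page."""

# Constructed sample of the switch output (the page's table, verbatim layout).
SHOW_OUTPUT = """\
===========================================================
UPM Profile        Events                  Flags   Ports
===========================================================
phone              User-Authenticated      e       11-20
clearport          User-Unauthenticated    e       11-20
===========================================================
Number of UPM Profiles: 5
Number of UPM Events in Queue for execution: 0
Flags: d - disabled, e - enabled
"""


def expand_ports(spec):
    """'11-20' -> {11..20}; '3,5-7' -> {3,5,6,7}; 'None' or '' -> empty set.
    Assumes standalone-switch port numbers (no slot:port notation)."""
    ports = set()
    for part in spec.split(','):
        part = part.strip()
        if not part or not part[0].isdigit():
            continue
        lo, _, hi = part.partition('-')
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_show_upm_profile(text):
    """Return {profile: {'event': str, 'enabled': bool, 'ports': set}}.
    Data rows sit between the second and third '====' separator lines."""
    rows, separators = {}, 0
    for line in text.splitlines():
        if line.startswith('==='):
            separators += 1
            continue
        if separators != 2:
            continue
        fields = line.split()
        if len(fields) != 4:
            continue
        name, event, flags, ports = fields
        rows[name] = {'event': event, 'enabled': flags == 'e',
                      'ports': expand_ports(ports)}
    return rows


def check_edge_ports(rows, edge_ports, auth_profile, unauth_profile):
    """Return a list of problems; an empty list means every edge port has an
    enabled profile bound to both the authenticate and unauthenticate events."""
    problems = []
    expected = ((auth_profile, 'User-Authenticated'),
                (unauth_profile, 'User-Unauthenticated'))
    for name, event in expected:
        row = rows.get(name)
        if row is None:
            problems.append(f'{name}: profile not present')
            continue
        if row['event'] != event:
            problems.append(f'{name}: bound to {row["event"]}, expected {event}')
        if not row['enabled']:
            problems.append(f'{name}: disabled')
        missing = sorted(set(edge_ports) - row['ports'])
        if missing:
            problems.append(f'{name}: not assigned on ports {missing}')
    return problems


if __name__ == '__main__':
    table = parse_show_upm_profile(SHOW_OUTPUT)
    print(check_edge_ports(table, range(11, 21), 'phone', 'clearport') or 'OK')
    print(check_edge_ports(table, range(11, 21), 'phone', 'CleanPort'))
```

With the page's output and edge ports 11-20 the check returns no problems; asking for ports 11-21 reports port 21 as unassigned for both profiles, and asking for CleanPort reports the profile as not present. Feed it the captured output of show upm profile from the switch to run the same check on a live configuration.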